Add mount namespace support 添加挂载命名空间支持 #2909
I think this feature is excellent, but the implementation is somewhat tricky and may be difficult to maintain. Is there a simpler or more sustainable way to achieve this?
Implementation code of the setns system call
we also have weak close_fd here already. tiann#2909
Changes on top of upstream (+69):
  workflows: debloat
  workflows: debloat pt. 2
  dummy.keystore
  ksud: add armeabi-v7a support
  manager: failure mode dummy demo
  manager: unofficial build
  manager: Add ABI and Kernel archirecture info into InfoCardItem
  ksud: prevent 32-on-64 pointer mismatches on sepolicy
  ksud: add avc spoof to feature
  kernel: remove unsupportable code
  kernel: restore compat code required for old kernels
  kernel: compat: remove ksu_android_ns_fs_check
  Reapply: "Handle unmount for isolated process correctly (tiann#2696)"
  kernel: core_hook: backport ksu_enhanced_security rules
  kernel: add support change mount namespace with app profile (tiann#2909)
  kernel: core_hook: disable seccomp for allowed uids
  kernel: supercalls: provide sys_reboot handler
  kernel: supercalls: backport: "Use task work to install fd"
  kernel: supercalls: partial backport of do_manage_mark
  kernel: selinux: force sepol_data.sepol to be u64
  kernel: core_hook: screw path_umount backport, call sys_umount directly
  kernel: throne_tracker: offload to kthread (tiann#2632)
  kernel: ksud: migrate ksud execution to security_bprm_check (tiann#2653)
  kernel: core_hook: migrate init_session_keyring grab to security_bprm_check
  kernel: expose allowlist workaround as Kconfig option
  kernel: app_profile: shim escape_with_root_profile
  kernel: allowlist: escape persistent_allow_list to kthread
  kernel: sucompat: increase reliability, commonize and micro-optimize (tiann#2656)
  kernel: sucompat: sucompat toggle support for manual hooks (tiann#2506)
  kernel: sucompat: use seccomp.mode for permission check
  kernel: app_profile: do not disable seccomp again
  kernel: expose KSU_LSM_SECURITY_HOOKS on Kconfig
  kernel: sucompat: provide do_execve_common handler for < 3.14
  kernel: sucompat: provide getname_flags (user) ultimatum hook
  kernel: sucompat: provide getname_flags (kernel) ultimatum hook
  kernel: file_wrapper: handle more compat
  kernel: file_wrapper: handle readdir and iterate compat for UL
  kernel: ksud: provide is_ksu_transition check v4
  kernel: kp_ksud: restore kprobes for early-boot and used-once hooks
  kernel: kp_ksud: add security_bounded_transition hook for < 4.14 (tiann#1704)
  kernel: kp_ksud: add sys_reboot kp hook
  kernel: rp_sucompat: add kretprobes-hooked getname_flags for sucompat
  kernel: extras: base implementation of avc log spoofing
  kernel: extras/avc_spoof: add kprobe support
  kernel: extras: add avc spoof to feature
  kernel/extra: replace sensitive context with priv_app
  kernel: apk_sign: casting to char for strcmp -> memcmp
  kernel: apk_sign: migrate generic_file_llseek -> vfs_llseek
  kernel: core_hook: no ext4_unregister_sysfs, no problem
  kernel: ksud: d_is_reg to S_ISREG
  kernel: Makefile: remove overlayfs requirement
  kernel: throne_tracker: resolve s_magic for < 3.9
  kernel: ksud: handle conditional read_iter requirement for < 3.16
  kernel: throne_tracker: handle filldir_t ABI mismatch on <= 3.18
  kernel: compat: iterate_dir -> vfs_readdir compat for < 3.11
  kernel: sucompat: bruteforce writeable stack from start_stack for < 3.8
  kernel: compat: provide bin2hex compat for < 3.18
  kernel: compat: add strscpy pseudo-compat for < 4.3
  kernel: compat: file_inode compat for < 3.9
  kernel: compat: provide weak anon_inode_getfd_secure for < 5.12
  kernel: compat: provide selinux_inode wrapper for < 5.1
  kernel: compat: provide selinux_cred wrapper for < 5.1
  kernel: apk_sign: fix return check for ksu_sha256
  kernel: handle backports
  kernel: apk_sign: add more size/hash pairs
  kernel: ksu: printout quirks / backports / etc on init
  kernel: scripts: kuid_ul_fix: add small script as helper
  kernel: selinux: fix wrong return type
  KernelSU v2.1.2+

Warning: Managers built from this repo has a known keystore. See dummy.keystore.

Signed-off-by: backslashxx <[email protected]>
TODO: add comments devlog and shit
backslashxx@6d100ac
https://github.com/backslashxx/KernelSU/tree/384de6420b64850a4cf2abbb83171f151a851c7f
ximi-mojito-test/mojito_krenol@33ae97f
https://github.com/ximi-libra-test/android_kernel_xiaomi_libra/tree/52810d22428875cca163cb52fd2819120e0b8120
backslashxx@7866f4e
* upstream: tiann#2909
Signed-off-by: backslashxx <[email protected]>
-Cherry-picked and squashed from: https://github.com/pershoot/KernelSU-Next/tree/dev-susfs
.....

kernel (susfs (v2.0.0)): Synced with official KernelSU main repo
Author: simonpunk <[email protected]>
Date: Mon Dec 15 20:03:01 2025 +0800
- See tiann@c95c2d7
-Makefile -> Kbuild (build-time info.)
-Accommodate:
  'Add mount namespace support 添加挂载命名空间支持 (tiann#2909)'
  'kernel: fix root_groups defs (tiann#3028)'
  'sulogv2'
  'kernel, ksud, manager: Remove enhanced security feature' (https://github.com/KernelSU-Next/KernelSU-Next/pull/1035/commits)
  'Explicitly check zygote start in execve hook'
  'selinux: Cache SID lookups for domain checks'
  'kernel: ksud: Refine rc injection'
  'kernel: supercalls: expose spoof uname function to userspace'
  'kernel: Fix setup_selinux using __task_cred directly'
-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

kernel (susfs (v2.0.0)): Let ksud bootstrap
Author: pershoot <[email protected]>
Date: Mon Dec 29 21:36:12 2025 -0500
-Do not short-circuit; this will cause loss of root if this returns early (like on my / few specific device(s)) due to timing differences during init.

kernel (susfs (v2.0.0)): Fixed ksu features not enabled and ksu fd not released
Author: simonpunk <[email protected]>
Date: Wed Dec 17 00:16:34 2025 +0800
-Synced with official KernelSU main repo
- See tiann@91ed4ea
-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

KernelSU (susfs (v2.0.0)): Fixed compile error
Author: simonpunk <[email protected]>
Date: Sun Dec 21 01:30:55 2025 +0800
-Synced with official KernelSU main repo
- See tiann@3d73f89
-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

kernel (susfs (v2.0.0)): Synchronize with upstream
Author: pershoot <[email protected]>
Date: Tue Dec 30 06:39:56 2025 -0500
-'kernel (susfs (v2.0.0)): Let ksud bootstrap' -> 'KernelSU: Fixed root not accessible on some Samsung devices and AOSP devices'
-Init. call at end; amend / add comments
-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

KernelSU (susfs (v2.0.0)): Fixed selinux issues by the fix from upstream
Author: simonpunk <[email protected]>
Date: Wed Dec 31 09:05:32 2025 +0800
-Remove ksu_enhanced_security_enabled check in ksu_handle_setresuid() since it may lead to side channel detection
- For selinux issues, see tiann@f71d011
- For ksu_enhanced_security_enabled issue, Now no matter what value is set for the toggle "Enable enhanced security" in ksu manager, it will NOT be effective nor used to check in ksu_handle_setresuid()
-Note: This was partially taken care of in: 'kernel (susfs (v2.0.0)): Synced with official KernelSU main repo' coinciding with: 'kernel, ksud, manager: Remove enhanced security feature' (https://github.com/KernelSU-Next/KernelSU-Next/pull/1035/commits)
-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

kernel & KernelSU (susfs (v2.0.0)): Added newfstatat syscall hook for handling latest Android Canary
Author: simonpunk <[email protected]>
Date: Sun Jan 11 21:48:35 2026 +0800
-Synced with official KernelSU main repo
- See tiann@df64091
-Note: Some of this was taken care of in: 'kernel (susfs (v2.0.0)): Synced with official KernelSU main repo' to coincide with: 'kernel: ksud: Refine rc injection, fix issue of Android Canary 2601'
-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

kernel (susfs (v2.0.0)): Fix stat issue when injecting to init.rc for latest Android Canary and qpr3 beta2
Author: simonpunk <[email protected]>
Date: Sat Jan 17 21:38:43 2026 +0800
- Sorry for my blinded eyes again since I did not read the references by the upstream fix carefully, it should hook fstat instead of newfstatat, and by hooking vfs_fstat we do not need to care which syscall family it uses
-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

kernel (susfs (v2.0.0)): Refined and renamed hide_sus_mnts_for_all_procs to hide_sus_mnts_for_non_su_procs
Author: simonpunk <[email protected]>
Date: Tue Jan 20 11:53:55 2026 +0800
- There is no good reason to even hide the sus mounts for su process at all and it makes ReZygisk not able to determine what to umount.
- Now it can prevent zygote itself from caching the sus mounts while at the same time ReZygisk can still see them simply because the job is done by its daemon process which is running with su context.
- So now the scenarios become like this:
  1. No Zygisk enabled / ReZygisk enabled but without TreatWheel module => Enable hide_sus_mnts_for_non_su_procs in post-fs-data.sh, then disable hide_sus_mnts_for_non_su_procs in boot-completed.sh or leave it enabled.
  2. [Zygisk Next|Rezygisk + TreatWheel|NeoZygisk] enabled => No need to enable/disable hide_sus_mnts_for_non_su_procs since they can handle traces left by zygote already.
** Friendly reminder **
- It is suggested to disable hide_sus_mnts_for_non_su_procs in boot-completed.sh since having it enabled will cause a bit more overheads unless there are sus mounts you do not want them to be umounted but do want them to be just hidden from proc mounts.
-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

KernelSU (susfs (v2.0.0)): Remove duplicated log and changed to a proper log message
Author: simonpunk <[email protected]>
Date: Wed Jan 21 12:56:39 2026 +0800
-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

kernel & KernelSU (susfs (v2.0.0)): Replaced susfs_is_boot_completed_triggered with susfs_is_sdcard_android_data_decrypted
Author: simonpunk <[email protected]>
Date: Mon Feb 2 14:13:08 2026 +0800
-Sync with the official KernelSU main repo
- 1st scene: There will be still some processes spawned by init after /data is decrypted, these processes will still go through the sucompat checks which takes more CPU cycle.
  2nd scene: There can be some mounts mounted after /data is decrypted like yt rvx module, these mounts will leave a mnt_id gap or mnt_group_id gap if it is not a bind mount.
  So to mark no sucompat checks for all init spawned processes, and to capture the ksu mounts and leave no mnt_id/mnt_group_id gaps as much as possible, here we start a kthread after boot-completed stage to keep monitoring the accessibility of path /sdcard/Android/data in loop per 5 seconds with maximum 60 attempts. When it is accessible, we sleep for 5 more seconds just in case there are still some modules mounting stuff. On the contrary, the path will still be deemed as accessible after 60 failed attempts just to prevent infinite loop
- For upstream commit, see tiann@35d8162
-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1

kernel (susfs (v2.0.0)): Various fixes for SUS_PATH and SUS_MOUNT -plus overall code improvement and optimization
Author: simonpunk <[email protected]>
Date: Sat Feb 14 01:06:42 2026 +0800
- Remove the need of flagging /sdcard or /sdcard/Android/data, so we can just do "ksu_susfs add_sus_path </sdcard/TWRP|/sdcard/Android/data/com.example.myapp" for example. To completely prevent unicode exploit users can pick up the patches from here if needed: https://github.com/WildKernels/kernel_patches/blob/main/common/unicode_bypass_fix_6.1%2B.patch / https://github.com/WildKernels/kernel_patches/blob/main/common/unicode_bypass_fix_6.1-.patch
- To deal with FUSE based path, first we check for the inode->i_sb->s_magic, if its magic is FUSE, then we use get_fuse_inode(inode) API to retrieve its fuse inode and flag SUS_PATH on fi->i_mapping->flags.
- Remove overall overheads as we can now get rid of linked list to check for sus path in "/sdcard" and "/sdcard/Android/data", however, for add_sus_path_loop we still need it. But we can consider to use userspace inotify to watch specific paths and pass list of paths to add_sus_path when needed, that will reduce the overheads of iterating the SUS_PATH_LOOP linked list every time zygote spawns a new process.
- Apply only on proc with uid >= 10000 and marked umounted.
- Fixed deadlock and race issues, see 4803afa7 and 068ebeb3
- d_lookup(), __d_lookup() and __d_lookup_rcu() will just return NULL if no dcache is found, so we can just dput() the dentry and set it to NULL, no need to do extra lookup with fake qstr.
- Use d_lookup_done(dentry) to make sure "dentry->d_flags &= ~DCACHE_PAR_LOOKUP" and "dentry->d_wait = NULL" if it is found sus, and re-use DECLARE_WAIT_QUEUE_HEAD_ONSTACK(wq);
- Fix several race issues by using proper locks:
  down_read(&namespace_sem); // needed when manipulating mnt_namespace
  lock_ns_list(mnt_ns); // needed when traversing mnt_ns->list
  lock_mount_hash(); // needed when modifying mount
-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1
- See tiann@c95c2d7
-Makefile -> Kbuild (build-time info.)
-Accommodate:
  'Add mount namespace support 添加挂载命名空间支持 (tiann#2909)'
  'kernel: fix root_groups defs (tiann#3028)'
  'sulogv2'
  'kernel, ksud, manager: Remove enhanced security feature' (https://github.com/KernelSU-Next/KernelSU-Next/pull/1035/commits)
  'Explicitly check zygote start in execve hook'
  'selinux: Cache SID lookups for domain checks'
  'kernel: ksud: Refine rc injection'
  'kernel: supercalls: expose spoof uname function to userspace'
  'kernel: Fix setup_selinux using __task_cred directly'
-https://gitlab.com/simonpunk/susfs4ksu/-/tree/gki-android14-6.1
TODO: add comments devlog and shit 6d100ac https://github.com/backslashxx/KernelSU/tree/384de6420b64850a4cf2abbb83171f151a851c7f ximi-mojito-test/mojito_krenol@33ae97f https://github.com/ximi-libra-test/android_kernel_xiaomi_libra/tree/52810d22428875cca163cb52fd2819120e0b8120 7866f4e * upstream: tiann#2909 Signed-off-by: backslashxx <[email protected]>
tested on nx769j android14-6.1 kernel, terminal app is Termux
inherit mode
KernelSU default behavior
global mode
independent mode